Appendix I — Examples of threat scenarios with a potential harmful impact on safety
ED Decision 2023/009/R
The following is a non-exhaustive list of examples of information security threat scenarios with a potential harmful impact on safety that may be considered by authorities and organisations.
Example 1: Aircraft to ATC digital communications
Threat vector assets/domain:
— ATC voice and ground automation systems
— ground communications providers
— air-ground/ground-air RF communications service providers
— aircraft and the assets used for voice and datalink communications
Non-exhaustive summary of potential threats:
— threat (availability): exceeding system performance, saturation of the communication channel
— threat (integrity): man-in-the-middle or injection attacks
— threat (confidentiality): passive listening to communications, spying on hardware devices
Summary of threat scenarios and their potential harmful impacts on safety:
— Disruption of services prevents ATC communication with a single aircraft, multiple aircraft and/or an ATC ground system.
— Manipulation of data through a man-in-the-middle attack would present false information to the pilot and/or the ATC system, with the potential of creating a safety hazard; injection of data into the aircraft or ground systems could disrupt the service and capability.
— There are no specific regulatory requirements for encryption of data or voice for datalink communications; however, for confidentiality purposes, the assets used to provide and deliver the services should be controlled and limited to only those resources that require access, to ensure that the services cannot be disrupted or manipulated in any way.
Example 2: Tampered air traffic data
Threat vector assets/domain:
— Internet service provider (ISP)
— ATM services network(s)
— surveillance data
— ATC systems
Non-exhaustive summary of potential threats:
— ISP compromise (confidentiality): an attacker gains unauthorised access to the systems or infrastructure of the ISP providing network services to the ATM system.
— data tampering (integrity): once the ISP is compromised, an attacker could manipulate data in transit. This could involve injecting false data or removing/modifying legitimate data.
— denial of service (availability): an attacker could also disrupt the communication of data entirely, resulting in a denial of service (DoS) to the ATM system.
— malware injection (integrity/availability): an attacker could use the compromised ISP as a launching pad to inject malware into the systems, causing further disruptions or enabling additional attacks.
Summary of threat scenarios and their potential harmful impacts on safety:
— ISP compromise: interception and/or manipulation of sensitive data, impacting the safe management of air traffic.
— data tampering: incorrect situational awareness, potentially resulting in reduced separation between aircraft and incorrect air traffic control decisions.
— denial of service: reduction of the ATC's ability to ensure separation, leading to the activation of contingency procedures, including capacity reduction, with the eventual possibility of large areas of airspace being closed.
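The tampering, replay and drop cases in Examples 1 and 2 can be made detectable at the receiving system by putting a message authentication code, a sequence number and a timestamp on each report. The following is an added illustration, not code from the EASA decision or from any ATM or datalink system: the report format, the shared key, the field names and the sample traffic are all assumptions constructed for the example. It contrasts an unauthenticated parser, which accepts an altitude rewritten in transit, with a checking receiver that flags the same message as bad_mac, a re-sent report as replay and a missing report as gap.

```python
import hashlib
import hmac
import json

# Assumed shared key between the surveillance data source and the ATC system
# (example only; a real deployment provisions this out of band).
KEY = b"example-shared-key-not-for-production"
MAX_AGE_S = 5.0  # reports older than this, by the receiver's clock, are stale


def make_report(seq, ts, callsign, lat, lon, alt_ft):
    """Serialise a position report and append an HMAC-SHA256 tag."""
    body = {"seq": seq, "ts": ts, "callsign": callsign,
            "lat": lat, "lon": lon, "alt_ft": alt_ft}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


def parse_unauthenticated(wire):
    """The 'before' behaviour: trust whatever the network delivers."""
    payload, _, _ = wire.rpartition(b"|")
    return json.loads(payload)


class Receiver:
    """Checks tag, sequence continuity and freshness of each report."""

    def __init__(self):
        self.next_seq = None  # sequence number expected next, None at start

    def accept(self, wire, now):
        """Return (status, body); body is None unless status is ok or gap."""
        payload, sep, tag = wire.rpartition(b"|")
        if not sep:
            return "malformed", None
        expected = hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "bad_mac", None        # content changed in transit
        body = json.loads(payload)
        if self.next_seq is not None and body["seq"] < self.next_seq:
            return "replay", None         # an old report injected again
        if now - body["ts"] > MAX_AGE_S:
            return "stale", None          # held back / delayed delivery
        status = "ok"
        if self.next_seq is not None and body["seq"] > self.next_seq:
            status = "gap"                # reports missing: possible DoS
        self.next_seq = body["seq"] + 1
        return status, body


def tamper_altitude(wire, new_alt_ft):
    """Simulate an in-path attacker rewriting only the altitude field."""
    payload, _, tag = wire.rpartition(b"|")
    body = json.loads(payload)
    body["alt_ft"] = new_alt_ft
    forged = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return forged + b"|" + tag            # the old tag no longer matches


def run_demo():
    """Constructed traffic: genuine reports, one tampered, one replayed, one dropped."""
    t0 = 1_700_000_000.0
    genuine = [make_report(i, t0 + i, "EXA123", 50.0 + i * 0.01, 8.0, 35000)
               for i in range(5)]
    wire = [genuine[0], genuine[1], tamper_altitude(genuine[2], 31000),
            genuine[1], genuine[4]]       # seq 3 never arrives
    naive_alt = parse_unauthenticated(wire[2])["alt_ft"]   # 31000: accepted
    rx = Receiver()
    statuses = [rx.accept(w, now=t0 + 5)[0] for w in wire]
    return naive_alt, statuses            # ["ok", "ok", "bad_mac", "replay", "gap"]


if __name__ == "__main__":
    print(run_demo())
```

A tag detects modification but does not restore the data: on bad_mac or gap the receiver still has to fall back to another source or to the contingency procedures the example describes. A symmetric key shared with the data source also means both ends must be trusted to keep it; where many consumers receive the same feed, a digital signature is the usual alternative.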
Example 3: Aircraft operators’, CAMOs’ and aircraft maintenance organisations’ software supply chain and ground infrastructure, including equipment used to support aircraft management, operations and maintenance
Threat vector assets/domain:
— aircraft operators', CAMOs' and maintenance organisations' supply chain
— aircraft operator or maintenance internal ground infrastructure used to manage aircraft and operations (hardware/software) and other information technology assets
— information technology assets (software and hardware) used to update systems on an aircraft during maintenance activities
Non-exhaustive summary of potential threats:
— threat (availability): hardware/software/system disruption
— threat (integrity): compromised hardware/software/system
— threat (confidentiality): compromised hardware/software/system
Summary of threat scenarios and their potential harmful impacts on safety:
— Disruption to the dissemination of meteorological information while the aircraft is airborne may reduce the ability of the flight crew to avoid potentially hazardous meteorological conditions (e.g. severe storms/fog at night).
— Manipulation of navigation data/databases will have the effect that flight plans and navigation displays cannot be trusted.
— Lack of control over, and access to, information such as the fleet maintenance programme or flight crew planning affects the ability of organisations to maintain safe operations.
Application of bow-tie analysis to this example
Two coordinated bow-tie analyses of different risk dimensions are combined, as the ultimate interest lies only in the aviation safety consequence.
Information security bow-tie analysis element | Aviation safety bow-tie analysis element
Information security threats: 1) hardware/software vulnerability exploitation: disturbed system function; 2) hardware/software vulnerability exploitation: system integrity compromised; 3) hardware/software vulnerability exploitation: confidentiality of information processed by system(s) compromised |
Information security preventive barriers |
Information security hazards & top events: 1) disturbed system functionality (hazard) → disrupted/unreliable system functionality; 2) system integrity compromised (hazard) → system function unpredictable; 3) information disclosable (hazard) → undetectable information exfiltration | Safety threats: 1) disrupted/unreliable system functionality; 2) system function unpredictable; 3) undetectable information exfiltration
Information security mitigating barriers | Safety preventive barriers: 1) use of access controls for system administration; 2) etc.
Information security consequences: 1) loss of system function (= production system down); 2) loss of system function integrity (= some system function wrong/inoperative); 3) loss of confidentiality of information (= some information can leak) | Safety hazards & top events: 1) loss of system function (hazard) → inoperational maintenance system; 2) loss of system function integrity (hazard) → systems operate with wrong information; 3) loss of information confidentiality (hazard) → confidential maintenance and aircraft internals information leaks
 | Safety mitigating barriers: 1) use of back-up procedures to prevent faulty maintenance actions; 2) use of procedures to secure aircraft software integrity
 | Safety consequences: 1) faulty maintenance actions; 2) incorrectly completed maintenance actions; 3) exfiltration of information allows for identification of vulnerabilities; 4) disruption of aircraft systems, unpredictable system function, loss of major aircraft systems (such as engine control)
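To make the coupling in the table concrete, the walk below treats each bow-tie as a directed graph and joins them where the information security consequences re-enter the safety bow-tie as its hazards, then enumerates every chain from an information security threat to a safety consequence and counts the barriers met along it. This is an added illustration, not part of the EASA material: node names follow the table, but the placement of the listed barriers on particular edges, the reading of "etc." as nothing further, and the mapping of safety top events to safety consequences are assumptions made for the example.

```python
from collections import defaultdict

# (source node, target node, barriers on that edge), read left to right:
# IS threat -> IS top event -> IS consequence, which re-enters the safety
# bow-tie as its hazard -> safety top event -> safety consequence.
# The IS barrier rows are blank in the table, so those edges carry none.
# Which safety barrier sits on which edge, and which top event leads to
# which consequence, is assumed here; the table does not say.
EDGES = [
    ("exploitation: disturbed system function",
     "disrupted/unreliable system functionality", ()),
    ("exploitation: system integrity compromised",
     "system function unpredictable", ()),
    ("exploitation: confidentiality compromised",
     "undetectable information exfiltration", ()),
    ("disrupted/unreliable system functionality",
     "loss of system function", ()),
    ("system function unpredictable",
     "loss of system function integrity", ()),
    ("undetectable information exfiltration",
     "loss of confidentiality of information", ()),
    ("loss of system function", "inoperational maintenance system",
     ("access controls for system administration",)),
    ("loss of system function integrity", "systems operate with wrong information",
     ("access controls for system administration",)),
    ("loss of confidentiality of information",
     "confidential maintenance and aircraft internals information leaks",
     ("access controls for system administration",)),
    ("inoperational maintenance system", "faulty maintenance actions",
     ("back-up procedures to prevent faulty maintenance actions",)),
    ("systems operate with wrong information",
     "incorrectly completed maintenance actions",
     ("back-up procedures to prevent faulty maintenance actions",)),
    ("systems operate with wrong information",
     "disruption of aircraft systems, loss of major aircraft systems",
     ("procedures to secure aircraft software integrity",)),
    ("confidential maintenance and aircraft internals information leaks",
     "exfiltration of information allows identification of vulnerabilities",
     ()),
]


def build_graph(edges):
    """Adjacency list: node -> [(next node, barriers on that edge)]."""
    graph = defaultdict(list)
    for src, dst, barriers in edges:
        graph[src].append((dst, barriers))
    return graph


def escalation_paths(edges=EDGES):
    """Every chain from an IS threat (a node with no incoming edge) to a
    safety consequence (a node with no outgoing edge), with the barriers
    met along the way: a list of (path, barriers) tuples."""
    graph = build_graph(edges)
    targets = {dst for _, dst, _ in edges}
    starts = []
    for src, _, _ in edges:
        if src not in targets and src not in starts:
            starts.append(src)
    found = []

    def walk(node, path, barriers):
        if node not in graph:          # no outgoing edge: safety consequence
            found.append((path, barriers))
            return
        for nxt, edge_barriers in graph[node]:
            walk(nxt, path + (nxt,), barriers + edge_barriers)

    for start in starts:
        walk(start, (start,), ())
    return found


def weakest_paths(edges=EDGES):
    """Escalation paths ordered by barrier count, fewest barriers first."""
    return sorted(escalation_paths(edges), key=lambda pb: len(pb[1]))


if __name__ == "__main__":
    for path, barriers in weakest_paths():
        print(len(barriers), "barrier(s):", " -> ".join(path))
```

Running it lists the confidentiality chain first, with a single barrier on the whole path (nothing on the information security side and no mitigating barrier on the safety side), which is the kind of gap the combined view is meant to expose. The blank information security barrier rows in the table are exactly where an organisation's own preventive and mitigating barriers have to be entered before such counts say anything about its real exposure.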
Example 4: Design and production organisations’ software, supply chain, design and manufacturing ground infrastructure
Threat vector assets/domain:
— design and production organisations' supply chain for parts, hardware and software
— design and production organisations' internal ground infrastructure and information technology assets used to manage the software/hardware used in the development and manufacturing of products that will be used by aircraft manufacturers, operators or ATM/ANS ground automation systems
— design and production organisations' information technology assets (software/hardware) used by their customers to update systems on an aircraft during maintenance operations, or ATM/ANS ground automation systems
Non-exhaustive summary of potential threats:
— threat (integrity): systems used to store, transmit and exchange information are compromised through man-in-the-middle attacks
— threat (confidentiality): systems used to store, transmit and exchange information are accessed by insider or external threats
Summary of threat scenarios and their potential harmful impacts on safety:
— Systems used to store, transmit and exchange information can no longer be considered trusted. If they are not maintained at a level that ensures all information exchange, data and software can be considered trusted, both ground and aircraft operations are disrupted.
— Uncontrolled access to systems used to store, transmit and exchange information (including information that is received from and exchanged with the supply chain) can provide technical details that could be used to craft more sophisticated attacks targeting safety-critical systems.
Example 5: Training system
Threat vector assets/domain:
— internal infrastructure used for all software and hardware that will be used in the design, manufacturing or production of products (hardware or software) that will be used in aircraft or ATM/ANS ground systems
— management of the internal operating domains and systems for all software and hardware that will be used in the design, manufacturing or production of products (hardware or software) that will be used in aircraft or ATM/ANS ground systems
Non-exhaustive summary of potential threats:
— threat (integrity): training systems or training devices are compromised through man-in-the-middle attacks
— threat (confidentiality): functional models, information and data that are embedded in training systems or training devices are accessed by insider or external threats
Summary of threat scenarios and their potential harmful impacts on safety:
— The training model, or the failure modes and associated emergency conditions, differs from the real aviation system behaviour and therefore induces inappropriate responses. If the training systems cannot be trusted, this affects the ability of organisations to maintain sufficiently qualified staff for their operations (pilots, maintenance or ATM/ANS ground personnel who have been exposed to improper training should be re-qualified).
— Lack of control over access to training systems affects the ability of organisations to maintain a training system that is known to be in a trusted state. In addition, uncontrolled access to training systems that embed functional models, information and data can provide technical details that could be used to craft more sophisticated attacks on the training system itself or on the real-world safety-critical system.
Example 6: Airport’s fuel delivery system and associated infrastructure
Threat vector assets/domain:
— ground fuel storage and distribution infrastructure
— digital systems used to control fuel pumping and metering
— supply chain for fuel delivery, including third-party fuel suppliers
— airport information technology assets used for fuel inventory management and scheduling deliveries
Non-exhaustive summary of potential threats:
— threat (availability): disruption of fuel supply or delivery systems
— threat (integrity): tampering with fuel control systems or measurement devices
— threat (confidentiality): unauthorised access to fuel supply and delivery data
Summary of threat scenarios and their potential harmful impacts on safety:
— Disruption to fuel delivery can lead to flight delays or cancellations, causing operational disruptions and potential safety issues if fuel reserves become critically low.
— Tampering with fuel control systems or measurement devices could lead to incorrect fuel loads being delivered to aircraft, impacting aircraft weight and balance calculations and potentially causing fuel exhaustion incidents.
— Unauthorised access to fuel supply data could allow threat actors to manipulate fuel scheduling or inventory data, potentially causing disruptions to airport operations and fuel availability for aircraft.
Example 7: National competent authority’s NOTAM system and associated infrastructure
Threat vector assets/domain:
— national NOTAM system infrastructure and digital interface
— supply chain for NOTAM system maintenance and updates
— national competent authority's IT assets used for NOTAM creation, distribution and storage
Non-exhaustive summary of potential threats:
— threat (availability): disruption of the NOTAM system or of access to it
— threat (integrity): tampering with NOTAM data or unauthorised NOTAM creation
— threat (confidentiality): unauthorised access to NOTAM data
Summary of threat scenarios and their potential harmful impacts on safety:
— Disruption to the NOTAM system could prevent the dissemination of critical aeronautical information to pilots and air traffic controllers, potentially leading to safety issues.
— Tampering with NOTAM data or unauthorised creation of NOTAMs could lead to incorrect information being disseminated, potentially resulting in pilots making decisions based on false or misleading data.
— Unauthorised access to NOTAM data could lead to information leakage, potentially revealing sensitive operational information.
Example 8: Aviation authority’s airworthiness directive (AD) system and associated infrastructure
Threat vector assets/domain:
— EASA AD system infrastructure and digital interface
— supply chain for AD system maintenance and updates
— EASA IT assets used for AD creation, distribution and storage
Non-exhaustive summary of potential threats:
— threat (availability): disruption of the AD system or of access to it
— threat (integrity): tampering with AD data or unauthorised AD creation
— threat (confidentiality): unauthorised access to AD data
Summary of threat scenarios and their potential harmful impacts on safety:
— Disruption to the AD system could prevent the dissemination of critical airworthiness information to aircraft operators and maintenance organisations, potentially leading to safety issues.
— Tampering with AD data or unauthorised creation of ADs could lead to incorrect information being disseminated, potentially resulting in aircraft operators and maintenance organisations making decisions based on false or misleading data.
— Unauthorised access to AD data could lead to information leakage, potentially revealing sensitive operational information.